Wireless Edge Services xl Module 2.0 Update NPI Technical Training June 2007

Transcription

1 ProCurve Wireless Edge Services xl Module v.2 Software NPI Technical Training NPI Technical Training Version: June Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Sample excerpt Rev

2 Discussion Topics Layer 3 RP adoption Internal RADIUS server Firewall and ACLs Internal DHCP server NAT Types of NAT supported Guidelines for configuring NAT Configuring NAT Expanded redundancy groups Improved roaming between modules sflow support GRE Secure NTP Web-Users Other enhancements Rev The Wireless Edge Services xl Module s internal firewall also supports NAT, often in conjunction with the module s role as a router and DHCP server. Rev

3 Types of NAT Dynamic, or many-to-one, NAT translates source address using port address translation (PAT) Static, or one-to-one, NAT translates either source address or destination address WLAN 1 = VLAN Dynamic Source NAT VLAN 1: Wired Network = VLAN : : WLAN 1 = VLAN Static Destination NAT VLAN 8: Server Rev The two types of NAT you will configure on your Wireless Edge Services xl Module are dynamic NAT and static NAT. They have a couple of major differences, the first being that, you can only configure dynamic NAT on source IP addresses, whereas, you can configure static NAT on either source or destination IP addresses. The other big difference is that if you are configuring dynamic NAT, you choose IP addresses by using ACLs, and the Wireless Module NATs the many source addresses specified in that ACL to the same IP address on one of its interfaces (also called overloading the interface). Port address translation (PAT) is what enables the module to translate multiple IP addresses to the same IP address. The module assigns different source port numbers each NATed address so that it can keep track of the device to which return traffic belongs, even though all return traffic is destined to the same IP address. Instead of using ACLs for static NAT, however, you configure IP addresses and port settings manually. I will explain these configurations in more detail a little later on. One more thing to remember: the Wireless Module automatically handles all traffic in a NAT session. So, for example, when the server in the wired network shown in the top section of the slide sends return traffic, it sends it to the apparent source of the traffic. But the Wireless Module forwards the return traffic to the correct wireless station using PAT. Similarly, when the server shown in the bottom half of the slide sends return traffic back to the wireless stations, the Wireless Module automatically conceals the server s address, translating it to the original destination address. Rev

4 Guidelines for Configuring NAT Wireless Module implements NAT on the border between: Inside (private) network Outside (public) network You define inside and outside interfaces for your NAT implementation. Wireless network = Inside Downlink Wireless Edge Services xl Module WLAN VLANs VLANs VLAN 8 VLAN 1 Uplink VLAN 1 RPs VLAN 12 Inside Outside Wired Network = Outside Inside NAT is applied to traffic incoming on inside interfaces The inside traffic is routed to the outside network Rev Before you plan your NAT configuration, you must understand how the Wireless Edge Services xl Module divides interfaces into inside and outside interfaces. In theory, an inside interface in one that connects to a private network, and an outside interface is one that connects to a public network. However, you might define public and private in various ways. The most important distinction between the inside and outside networks is that for whatever reason IP addresses used in one cannot be supported in the other. For example, the Wireless Module might place wireless stations in subnetworks isolated within the wireless world. You decide to define these isolated subnetworks as the inside network and the wired network as the outside network. Devices in the wired network do not know about the subnetworks and IP addresses used in the wireless network. So the Wireless Module applies dynamic source NAT to inside traffic and, in the wired network, masquerades as the source of all traffic from the wireless network. As you can see in the picture, the Wireless Module applies inside NAT on traffic that arrives on inside interfaces. If you configured outside NAT, the module would apply it on traffic incoming on an outside interface, here VLAN 1. Note that the Wireless Module must route traffic in order to perform NAT. Rev

5 Specifying Addresses for Your NAT Implementation Local IP address an IP address as it appears before translation Global IP address an IP address as it appears after translation Source NAT Local address RP WLAN VLAN 1 VLAN VLAN 1 Global address Destination NAT WLAN RP VLAN 1 VLAN Local address VLAN Global address Rev As you set up NAT, you will specify local and global addresses, so you must understand how the Wireless Module defines these addresses. A local IP address is an IP address (either source or destination depending on the type of NAT) as it appears before it is translated with NAT. A global IP address, conversely, is the IP address as it appears after it is translated with NAT. For source NAT, the concept is straight-forward enough. For example, a station in a wireless network could have a local IP address of After this address is translated by the module, the station would have a global IP address of , which is the Wireless Module s address in VLAN 1 (the VLAN used in the wired network). Each local address would, of course, be different for each wireless station, but typically (that is, with dynamic NAT) every local addresses would be translated to the same global address of Destination NAT reverses the local and global addresses. For example, you might set up destination NAT to force wireless stations to contact a private server at a public address (say, the address of the Wireless Module on the wireless network) rather than at the server s private address. Originally, the wireless station destines the traffic to the Wireless Module (the address that the server appears to use), so that is the local address. The global address is the server s actual IP address because this is the address after destination NAT has occurred. Rev

6 Plan Your NAT Configuration Consider your network topology and security needs Determine your requirements for NAT Conserve IP addresses and separate VLANs for wireless and wired traffic Conceal IP addresses of servers on the private, wired network Record the IP addresses needed for your NAT configuration Rev Now you have all the concepts and tools you need to plan your NAT configuration. First, consider your network topology and security needs and determine your requirements for NAT. In other words, which types of NAT must you configure, and to which traffic should you apply NAT? There are a couple of reasons why you might want to use NAT. In the first scenario, you want to separate wireless and wired subnetworks to conserve address space on your LAN and perhaps to increase security. However, you want to integrate wireless traffic onto the wired network with a minimum of hassle. You don t want to configure routes back to the wireless subnetworks and so forth. Have the module place wireless stations in a certain VLAN reserved for them. Remember to configure DHCP to assign addresses to wireless stations in that VLAN. Define the VLAN as an inside VLAN, and configure dynamic NAT on inside traffic. Now, all wireless stations seem to have the address on one of the Wireless Module s outside interfaces. In the second scenario, you configure NAT because you need to conceal IP addresses used in your LAN from wireless users. You would still want to separate wired and wireless VLANs. However, instead of configuring inside source NAT, you would configure inside destination NAT. Wireless stations direct traffic to the private servers to a public address, and the Wireless Module translates the destination to the correct server address. You set up static definitions for destination NAT. Each definition allows you to map a destination port, as well as IP address, to a particular new address, so several wired servers can share the same public address advertised to wireless users. Once you have decided what your requirements are, record the IP addresses necessary for your NAT configuration. Rev

7 Configure an ACL to Select Traffic for Dynamic NAT Determine which IP addresses the standard IP ACL should select: Typically, permit all addresses in subnets corresponding to the NATed interfaces. Often, these addresses are issued through DHCP. In this example, you would configure an ACL with two rules: permit /24 permit /24 Wireless network = Inside Downlink Wireless Edge Services xl Module WLANs VLANs RPs VLAN 8 VLAN 1 VLAN 12 Inside Outside Uplink DHCP Pools Pool 1 (VLAN 8) /24... Pool 2 (VLAN 12) /24... Rev Remember that with dynamic NAT, you select the local source addresses on which to apply NAT by configuring a standard IP ACL. The simplest way to configure the ACL is to first determine to which interfaces NAT applies. Each VLAN is, of course, associated with a subnetwork, and stations in the VLAN use IP addresses in that subnetwork often assigned through DHCP. Typically, you should permit NAT on all addresses in these subnets. In this example, you are configuring dynamic source NAT on inside traffic and the inside interfaces will be VLANs 8 and 12. The DHCP pools in the slide show the subnetworks associated with the VLANs, and the slide also lists the two rules for permitting addresses in those subnets. We ve laid the groundwork for planning the NAT configuration. Now I ll take you step through the Web browser screens. Rev

8 Define Outside or Inside Interfaces Rev You will now learn how to assign interfaces as either inside or outside interfaces, as I talked about earlier. NAT configurations have no effect until you do this. To define an interface to either inside or outside, you need to go to the Add Interface screen. Get there by selecting Security > NAT and clicking the Interfaces tab. To add an interface, click the Add button. The Add Interface screen displays. In the Interface field, use the drop-down menu to select an interface configured on the module (such as VLAN1, shown in the slide). In the Type field, use the drop-down menu to select either Inside (Private) or Outside (Public). Then click the OK button. Rev

9 Configure Dynamic Translation Rev You can now configure dynamic NAT. For each NAT configuration that will use dynamic NAT, you need to first set up an ACL, as I mentioned earlier, to select the source addresses for NAT. Now select Security > NAT and click the Dynamic Translation tab. Then click the Add button. On the Add Dynamic Translation screen, from the NAT Interface drop-down menu, select the interfaces to which dynamic NAT applies: Inside (Private) or Outside (Public). You just defined these interfaces, so you should remember which type you want. Then, in the NAT Address Type field, leave the setting at Source, since it is the only option permitted for dynamic translation. From the Access List drop-down menu, select the ACL you already configured. Remember: for inside NAT choose an ACL that selects IP addresses in inside VLANs and vice versa for outside NAT. Next, from the Interface drop-down menu, select one of the module s VLAN or tunnel interfaces. The Wireless Module translates the source address to the IP address on the specified interface. Ethernet interfaces are named vlan1, vlan2, and so on; GRE tunnel interfaces are named tunnel1, tunnel2, and so on. You should select an interface of a different type than the NAT interface for this configuration. For example, if you have selected Inside (Private) for the NAT Interface, choose, for the Interface, an interface on the outside network. If you are configuring dynamic NAT on wireless traffic, choose an interface that is tagged on the uplink port. Then click the OK button. The definition for dynamic translation is now listed on the Security > NAT > Dynamic Translation screen. Rev

10 Configure Static NAT Rev This slide shows you how to configure static translation should you decide that this is the type of NAT best for you environment. Select Security > NAT and click the Static Translation tab. Then click the Add button, which will take you to the Add Static Translation screen. The NAT section of this screen, gives you similar choices to those for the first two drop-down menus of the dynamic NAT screen. For the Interface Type, select either Inside (Private) or Outside (Public), remembering the definitions you made earlier. So if you choose Inside (Public), the Wireless Module applies this static NAT definition to traffic that arrives on an inside interface as defined by you. Unlike for dynamic NAT, you can choose the Address Type: Source (translate the source IP address in the IP header) or Destination (translate the destination IP address in the IP header). Next, in the Local Address field, enter the IP address to be translated. This address depends on the your choice for the Address Type. Remember that a few slides ago, you saw where to find the local and global addresses for both source and destination NAT. Then, choose either TCP or UDP in the Protocol drop-down menu and, in the Local Port field, enter the port on which traffic to be translated arrives (from 1 through 65,535). These are important settings for destination NAT because it allows you to set up port forwarding. For example, you can configure one definition that applies to only HTTP traffic and another that applies only to FTP traffic, and both types of traffic reach the appropriate server. Finally, in the Global Address field, enter the address as it should appear after translation. In the Global Port field, enter the port to which the Wireless Module should forward the traffic. This field is optional and provides port translation. (If you don t enter anything, the module sends the traffic to the port on which it arrived.) For example, your company s Web server uses a private port. Traffic for the server is destined to the Wireless Module and the standard HTML port (80). The Wireless Module translates the traffic to the Web server s private address and a private port, selected by your company. The private port is what you enter in the Global Port field. Click the OK button. The static NAT definition is now listed on the Security > NAT > Static Translation screen. Rev

11 View NAT Status 1 Rev Now that you have configured NAT, you can check its status. To view NAT status, select Security > NAT and click the Status tab. The screen displays a row for each active session to which the Wireless Edge Services xl Module has applied NAT. The columns show the IP addresses associated with the session: Inside-Global refers to the source IP address as it appears in the destination network (that is after translation). Inside-Local refers to the source IP address as it appears originally in the source network. Outside-Global refers to the destination IP address as it appears after translation in the destination device s network Outside-Local refers to the destination IP address as it appears originally in the source device s network. For example, if you have configured dynamic source NAT on inside traffic, the Inside-Local column lists the IP address of the source device in the inside network, and the Inside-Global column lists the translated IP address. Rev

12 Use Model Securing a small network from less trusted wireless traffic Wireless Services xl Module As a Router, DHCP Server, and RADIUS Server Servers VLAN /24 MyCompany WPA with 802.1X Dynamic VLANs Downlink WLAN 1 VLAN 8 Dynamic VLANs VLAN 12 VLAN 14 Firewall ACLs NAT Uplink Management VLAN VLAN 4 (Servers) DHCP Pools VLAN /24 VLAN /24 RADIUS requests RADIUS Server Employees Contractors VLAN 12 VLAN 14 Rev We ve covered a lot of capabilities. Let s pause for a minute and look at how to combine them for a complete solution. The company in this scenario has a relatively small LAN with limited security capabilities. However, the company does have several servers that store sensitive information. The company s new Wireless LAN System is intended to provide mobile access to these servers for contractors and employees. However, network administrators are well aware that without careful planning granting mobile access for legitimate users can easily lead to allowing unauthorized access by illegitimate users. The first step to securing the network is guarding the WLAN with strong encryption and user-based authentication. The company chooses WPA with 802.1X. Even though this small company does not have a RADIUS server, the internal RADIUS server on the Wireless Module enables it to choose this high-security option. The internal server also enables dynamic VLANs; the module places mobile users in two different VLANs based on whether they are employees or contractors. As you can see, after the module s RADIUS server assigns users to VLANs, the module also takes responsibility, as a DHCP server, for assigning IP addresses to the wireless stations. Finally, the module routes traffic from the wireless stations to the servers VLAN, which is tagged on the module s uplink port. As the module routes the traffic, it runs basic firewall checks and applies the appropriate ACLs. For example, you could place an ACL on the VLAN 14 interface (the contractors VLAN) that permits access to one server, but denies access to another. The module also implements NAT, translating IP addresses for the wireless stations to the module s IP address on the server VLAN, allowing the servers to send traffic back to the VLANs for wireless users. Rev

13 Use Model Securing wireless and wired traffic in a small network VLAN /24 Servers LAN Dynamic VLANs Wireless Services xl Module As a Router, DHCP Server, and RADIUS Server MyCompany WPA with 802.1X Dynamic VLANs Downlink WLAN 1 VLAN 8 Dynamic VLANs VLAN 12 VLAN 14 Firewall ACLs NAT Uplink Management VLAN VLAN 4 (Servers) 802.1X DHCP Pools VLAN /24 VLAN /24 RADIUS requests RADIUS Server Employees Contractors VLAN 12 VLAN 14 RADIUS requests Rev This use model is similar to the last. However, this company is very small and has decided to use the Wireless Edge Services xl Module to provide services for all stations wired as well as wireless. Wired stations connect to the wireless services-enabled switch, which enforces 802.1X on all interfaces to which workstations might connect. You ve configured the switch as a client on the Wireless Module s internal RADIUS server, and the switch forwards RADIUS requests to this server, allowing wired stations to complete 802.1X authentication. At this point, the Wireless Module treats the wired stations much as it would wireless stations. It places them in dynamic VLANs and issues IP addresses to them from its DHCP pool. The Wireless Module can route and filters traffic that it receives from the wired stations, just as it routes and filters that from the wireless stations. Note, however, that you must tag the module s uplink port for these VLANs to allow the module to receive traffic on them from the wired stations. Rev

14 Rev Rev